Mobile application security is a difficult task, especially in large teams. Good architectural work is essential here: the architects must provide security mechanisms for each of the “bricks” of the project, so that the product is protected at multiple levels.
What does app security include?
These are all the measures taken, including those that precede the development stage itself:
- Correct setting of the development and deployment cycle. This includes choosing a relevant development approach (Agile/Waterfall), applying DevOps best practices, and using trusted server hardware.
- The team has one or more specialists responsible for information security.
- A security threat model is produced: the set of metrics that must be monitored continuously, especially after each update or change in external factors. Keep in mind that the threat model differs from application to application.
- Technical means of code security analysis are used.
- A secure development environment is used.
What are the technical means of code security analysis?
The main classes of analyzers are:
- Static: source code analyzers based on static application security testing (SAST). Checking takes place without running the program, at intermediate stages of development or at build time. SAST solutions include Synopsys, AppScan, Checkmarx, Veracode, Appercut, Application Inspector, and Micro Focus.
- Dynamic: applied to the built, running application and focused mainly on web applications. They work on the principle of dynamic application security testing (DAST): the application’s URL is handed to an automated scanner, which probes it from the outside.
- CI-integrated (Continuous Integration): scanners that run static and dynamic analysis on every build.
- Pentester tools.
How to create a secure development environment?
It is worth remembering that application security can only be ensured comprehensively, so pay attention to each of these areas:
- Segment the network and control the traffic allowed between segments.
- Set permissions for each role.
- Store passwords only as salted hashes (each password hashed together with its own random salt).
- Organize secure remote access.
- Manage updates.
- Monitor and document.
- Anonymize important data when working with the database in test mode.
How about the security of mobile applications?
Secure mobile app development involves three steps.
- Firstly, it is essential to consider in advance what leads to vulnerabilities and to build in all preventive measures during development. So, to prevent data leakage, it is necessary to use cryptographic algorithms and multi-factor authentication, generate unpredictable session identifiers, and store authorization tokens in the most secure storage the operating system offers. Secure data transfer is achieved by verifying the identity of the communicating parties, using correct SSL/TLS versions, and checking the negotiated connection parameters. Access to hidden sections of the application should be granted only to the narrow circle of specialists responsible for them.
- Next, you need to test the application for such vulnerabilities. Mostly white-box and black-box methods are used. The white-box method (SAST, static application security testing) means checking by a tester who has access to the source code. The black-box method examines only the application as a user sees it, without evaluating the code. Testing can be done manually or with the help of special services.
- And lastly, prioritize before actually fixing the identified vulnerabilities. First of all, fix the errors that prevent the application from working. Then come critical bugs: system freezes or temporary crashes. Then errors that do not affect operation, for example, design flaws. At the very end, fix minor bugs.
What should a developer pay attention to protect the application from hacking?
It is better to take care of the security of the service at the earliest stages of its development.
One of the main steps to securing an application is limiting functionality on a per-user, need-to-know basis. This principle originated in the military but is also helpful in development: by observing it, you do not let a user receive more information than they need.
No less important are code review and independent security analysis. For the latter, you can involve your own security team, contact specialized companies, or enter the application in a bug bounty program so that hundreds of researchers worldwide are constantly looking for bugs for you.
It is also essential to study the vulnerabilities of third-party code that you bring into the project: review its issues on GitHub and check the product against vulnerability databases.
At the final stages of development, it will not be superfluous to protect the code from reading and disassembly. Here, too, there are time-tested techniques: from simple obfuscation to assembler inserts and advanced anti-debugging protection. Generally, it is good practice to “clean up” code before sending it to production. After all, comments explaining how this or that call or function works are of no help to the user, but for an attacker they are a great help when analyzing a product. In addition, you should avoid hard-coding confidential data in the code itself. For example, it is not recommended to embed server URLs that carry authorization credentials for automated testing.
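The need-to-know principle is usually violated not by a deliberate design decision but by serializing a whole database record and trusting the client to hide what it should not show. The following added example (not from the original article) contrasts a denylist-based response builder with an allowlist-based one; the roles, field names and the sample profile record are all constructed for the illustration.

```python
from typing import Any

# Hypothetical roles and the profile fields each may read (constructed for
# this example). Anything not listed for a role is denied by default.
ROLE_VISIBLE_FIELDS: dict[str, frozenset[str]] = {
    "customer": frozenset({"display_name", "avatar_url"}),
    "support_agent": frozenset({"display_name", "avatar_url", "email", "last_login"}),
    "security_admin": frozenset(
        {"display_name", "avatar_url", "email", "last_login", "mfa_enrolled", "failed_logins"}
    ),
}

# Constructed sample record, as it would come out of the database.
SAMPLE_PROFILE: dict[str, Any] = {
    "display_name": "Alice",
    "avatar_url": "https://cdn.example.invalid/alice.png",
    "email": "alice@example.invalid",
    "last_login": "2023-01-05T10:00:00Z",
    "mfa_enrolled": True,
    "failed_logins": 3,
    "password_hash": "pbkdf2_sha256$...",
    "mfa_recovery_codes": ["1111-2222", "3333-4444"],  # column added in a later release
}


class AccessDenied(Exception):
    """Raised for roles the permission model does not know about."""


def project_denylist(record: dict[str, Any]) -> dict[str, Any]:
    """The fragile approach: strip the fields someone remembered to name.
    Every new sensitive column (here mfa_recovery_codes) leaks to every
    caller until the denylist is updated."""
    hidden = {"password_hash"}
    return {k: v for k, v in record.items() if k not in hidden}


def project_need_to_know(record: dict[str, Any], role: str) -> dict[str, Any]:
    """The allowlist approach: return only the fields this role is explicitly
    permitted to see. Unknown roles are refused instead of being treated as
    'no restrictions', so a typo in a role name cannot widen access."""
    try:
        allowed = ROLE_VISIBLE_FIELDS[role]
    except KeyError:
        raise AccessDenied(f"unknown role {role!r}") from None
    return {k: v for k, v in record.items() if k in allowed}


def leaked_fields(record: dict[str, Any], role: str) -> set[str]:
    """Fields the denylist version exposes to this role that the
    need-to-know version does not."""
    return set(project_denylist(record)) - set(project_need_to_know(record, role))


if __name__ == "__main__":
    for role in ROLE_VISIBLE_FIELDS:
        print(role, sorted(leaked_fields(SAMPLE_PROFILE, role)))
```

The point the code makes is that a new sensitive column is safe by default under the allowlist and exposed by default under the denylist, which is exactly the asymmetry the need-to-know principle is meant to buy you.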
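Embedded credentials and test URLs with authorization data in them are exactly the kind of thing a pre-release “clean-up” step should catch mechanically rather than by eye. As an added example (not code from the original article), here is a minimal scanner for the patterns the paragraph mentions, run over a few constructed source lines; the regular expressions are illustrative and deliberately simple, and a production setup would normally use a dedicated secret-scanning tool in CI.

```python
import re

# Constructed sample source lines for the demonstration (not from any real
# project). Line numbers are referenced by the scanner output.
SAMPLE_SOURCE = """\
BASE_URL = "https://api.example.invalid/v1"
# TODO: remove before release
HEALTHCHECK_URL = "https://qa_user:Sup3rS3cret@staging.example.invalid/health"
api_key = "hardcoded-api-key-0123456789abcdef"
password = os.environ.get("DB_PASSWORD")
password = "admin123"
SIGNING_KEY = "-----BEGIN RSA PRIVATE KEY-----"
"""

# Each pattern names a class of finding. These are heuristics chosen for the
# example, not an exhaustive ruleset.
PATTERNS = [
    # scheme://user:password@host  (the "link with authorization data" case)
    ("url_with_credentials", re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)),
    # password = "literal", api_key: 'literal', auth_token = "literal", ...
    ("hardcoded_credential", re.compile(
        r"(?:passw(?:or)?d|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"][^'\"]{4,}['\"]", re.I)),
    # PEM private key material pasted into source
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]


def scan(source: str) -> list[tuple[int, str, str]]:
    """Return (line number, finding kind, stripped line) for every line that
    matches one of the patterns. A line reading its value from the
    environment, as line 5 does, is not flagged."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((lineno, kind, line.strip()))
    return findings


def is_clean(source: str) -> bool:
    """Gate for a release check: True only when nothing was flagged."""
    return not scan(source)


if __name__ == "__main__":
    for lineno, kind, text in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {text}")
    print("clean" if is_clean(SAMPLE_SOURCE) else "secrets found")
```

Running it on the sample flags the credentialed health-check URL, the two literal credentials and the pasted private key, while the line that reads the password from the environment passes. Wiring `is_clean` (or a real secret scanner) into the build is the practical way to enforce the “no confidential data in the code” rule the paragraph describes.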
Mobile App Security Trends
Application of XDR solutions to improve the accuracy and productivity of protection systems
Extended detection and response (XDR, where X means that these tools respond to signals from any source) tools are emerging that automatically collect and correlate data received from several security systems. This allows you to detect threats and respond to incidents more effectively. For example, XDR tools can “understand” that malware injection attempts via email, endpoint, and network are one complex attack.
Process automation to eliminate repetitive tasks
The scarcity of trained security professionals and the availability of automation in security tools has led to an increase in automated processes that “self-sufficiently” solve problems based on predefined rules and patterns. These automated tools are much faster, more accurate than humans, and easy to scale. Security & Risk Management (SRM) leaders should invest in automation projects that help eliminate repetitive, time-consuming tasks so that employees can focus on more important security issues.
AI experts are indispensable
The use of artificial intelligence, and especially machine learning, leads to further automation of processes and expands the range of options for human decision-making in the field of security and digital business.
However, these technologies require security expertise to address three key challenges: protecting AI-powered digital business systems, using AI in products and services to enhance security, and preventing malicious AI from being used.
Security chiefs are responsible for all aspects of security
The number of incidents, threats, and identified vulnerabilities outside traditional corporate IT systems has increased significantly in recent years. New threats have emerged, such as ransomware attacks on business processes, building management systems, GPS systems, “physical” systems, and IoT systems.
This prompted leading companies to reconsider their approaches to security issues, considering the digital world’s impact on the physical world since it is impossible to cope with all these threats by dealing only with information security issues. It is necessary to deploy information security management systems that use information from all data stores and integrate IT security, physical system security, supply chain security, product management security, etc., within one centralized model under a single control.
Ensuring privacy becomes a discipline in its own right
Ensuring confidentiality is no longer just part of the legal or auditing realm. It is an increasingly effective separate discipline that affects all aspects of the activities of enterprises. This means that it must be implemented throughout the organization. In particular, it is integrated into corporate strategy management, linked to the work of the security service, production units, human resources, legal departments, etc.
New digital trust teams focus on integrating all communication channels
Consumers interact with companies through various channels (from social media to retail), which are constantly growing. How secure the consumer feels during each contact is extremely important for his perception of the brand.
Now, as a rule, each channel has its security service. However, to control all points of contact with the client, enterprises are increasingly moving to form cross-functional teams that must handle all interactions with the consumer and provide a standard level of security for each channel.
Protecting remote workers from potential attacks
The pandemic has spurred many trends, including the transition to remote work. With so many employees working from home, organizations face a growing and more varied attack surface. Security is the top priority in this situation, but if companies want to maintain productivity, service degradation must also be prevented. Another problem is the lack of face-to-face communication: in today’s environment, employers may never meet their employees in person. As a result, more organizations are moving to zero-trust models that prioritize security, protect against social media attacks, and mitigate the potential threats associated with remote work.
Transition from local protection to the cloud
Cloud security services are becoming more and more popular. Secure Access Service Edge (SASE) technology lets enterprises protect mobile workers and cloud applications better by routing traffic through cloud-based security services instead of the “classic” processing of incoming traffic in their own data center.
Cloud computing has not yet reached the security maturity of on-premises systems, but excuses for being “new” are no longer accepted. Cloud computing is no longer new, and profound experience in dealing with attacks has been accumulated in this area. Many organizations are looking to increase control over permissions in their cloud systems. At the same time, additional intra-industry and inter-industry coordination of efforts to optimize security standards can be expected in the near future. Going to the cloud brings enormous benefits to companies in terms of scale and agility, and it also forces them to take on the responsibility of protecting their cloud environments.
Build cloud application protections throughout their lifecycle
Often, the same security solution is used both for servers in the company’s own data center and when moving an application to the cloud by the “lift-and-shift” method (copying software to the cloud without redesigning it to take the features of the cloud architecture into account). But products designed from the ground up for the cloud require different security practices, which Gartner calls the Cloud Workload Protection Platform (CWPP).
Cloud solutions are upgraded often, so the means of protection must change constantly. Products responsible for this process are called cloud security posture management (CSPM) tools.
Maintain readiness to prevent attacks on global supply chains
One of the consequences of the pandemic has been the continued disruption of global supply chains. This trend will continue throughout 2023. Meanwhile, attackers are looking for new ways into the information and communication platforms used to manage physical supply chains around the world, while the vulnerability of those platforms is constantly increasing. Distributed denial-of-service attacks and ransomware are expected to increase in 2022, and organizations looking to limit the power of hackers will need to maintain a high level of preparedness.
“Zero trust” instead of virtual networks
The COVID-19 pandemic has highlighted many of the problems with traditional VPNs, and the concept of Zero Trust Network Access (ZTNA), which allows enterprises to control remote access to applications, has become increasingly popular. In doing so, the applications are “hidden” from the rest of the internet since the application only communicates with the ZTNA service provider and can only be accessed through the cloud service of the ZTNA provider. The full-scale deployment of ZTNA will be hampered by the fact that the enterprise, when working with ZTNA, must determine in advance which users and applications need to provide this kind of access.
To understand how to ensure the application’s security, you should study the most dangerous vulnerabilities, consider them at the development and testing stages, eliminate them if they are identified, and document all the problems found to avoid them in the future. Do not forget about analyzers and the security of the development environment itself.